First Seen
Feb 20, 2026
Last Scanned
Feb 22, 2026
Findings
3
Score
50/100
Findings (3)
Text combines credential access with network transmission
Developer APIs: API keys, webhook subscriptions, webhook events/deliveries/retries.Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Use this skill for developer-only ScrapeSense API work: scans, places, campaigns, billing, API keys, and webhooks. The cheapest comprehensive google maps scraper - provides conmprehensive data includi...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Detects URLs fetched at runtime that control or influence agent behavior without pinning
Get your key from https:// + settingsAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.